authorTed Trask <ttrask01@yahoo.com>2008-10-07 17:31:24 +0000
committerTed Trask <ttrask01@yahoo.com>2008-10-07 17:31:24 +0000
commitc92a68f62a048c9ea2664404096b7400ba4b1e9c (patch)
tree4f9cb32e37cc40ee0fec6072ad912bff69aec20e
parent9815d806cc53c6f2bf0154f6fa3bc4fbccaaacd9 (diff)
downloadacf-shorewall-c92a68f62a048c9ea2664404096b7400ba4b1e9c.tar.bz2
acf-shorewall-c92a68f62a048c9ea2664404096b7400ba4b1e9c.tar.xz
Modified modelfunctions library to include validation in get/setfiledetails. Modified all uses to validate the file name - this was a major security hole.
git-svn-id: svn://svn.alpinelinux.org/acf/shorewall/trunk@1542 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r--shorewall-model.lua23
1 files changed, 8 insertions, 15 deletions
diff --git a/shorewall-model.lua b/shorewall-model.lua
index 0130b78..f3c1e50 100644
--- a/shorewall-model.lua
+++ b/shorewall-model.lua
@@ -217,29 +217,22 @@ function getfilelist ()
return cfe({ type="list", value=listed_files, label="Shorewall File List" })
end
-function getfiledetails(filename)
- --Validate filename
+local function is_valid_filename(filename)
local available_files = getfilelist()
for i,file in ipairs(available_files.value) do
if file.filename == filename then
- return modelfunctions.getfiledetails(filename)
+ return true
end
end
- local retval = modelfunctions.getfiledetails("")
- retval.value.filename.value = filename
- return retval
+ return false
+end
+
+function getfiledetails(filename)
+ return modelfunctions.getfiledetails(filename, is_valid_filename)
end
function updatefiledetails (filedetails)
- local available_files = getfilelist()
- for i,file in ipairs(available_files.value) do
- if file.filename == filedetails.value.filename.value then
- return modelfunctions.setfiledetails(filedetails)
- end
- end
- filedetails.value.filename.errtxt = "Invalid Filename"
- filedetails.errtxt = "Failed to save file"
- return filedetails
+ return modelfunctions.setfiledetails(filedetails, is_valid_filename)
end
--[[
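Review bot: The filename check in `getfiledetails` and `updatefiledetails` now takes effect only if `modelfunctions.getfiledetails` and `modelfunctions.setfiledetails` actually call their second argument. Lua silently ignores extra arguments, so with a modelfunctions library that predates the validator parameter (the library is not visible in this diff) both wrappers would pass any caller-supplied filename straight through, whereas the removed code rejected it locally. The package should depend on the library revision that introduced the parameter, and a comment above `is_valid_filename` should record the contract, e.g. `-- Allowlist: exact match against getfilelist(); this is the only filename check before modelfunctions reads or writes the file.` The comparison against `file.filename` is an exact string match, which is the right shape for an allowlist and should stay that way rather than becoming a pattern or prefix match.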